Revocable shredding of security credentials

ABSTRACT

Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.

BACKGROUND

As an increasing number of applications and services are being madeavailable over networks such as the Internet, an increasing number ofcontent, application, and/or service providers are turning totechnologies such as cloud computing. Cloud computing, in general, is anapproach to providing access to electronic resources through services,such as Web services, where the hardware and/or software used to supportthose services is dynamically scalable to meet the needs of the servicesat any given time. A customer typically will rent, lease, or otherwisepay for access to resources through the cloud, such that the customerdoes not have to purchase and maintain the hardware and/or software toprovide access to these resources. A potential disadvantage to such anapproach, at least from a customer point of view, is that the resourcestypically are at a location under control of the provider of thoseresources, and thus are out of the direct control of the customer. Inorder to help ensure that resources allocated to the customer performtasks only under direction of that customer, the provider environmentcan support request authentication to prevent unauthorized parties fromaccessing the resources. Such a service might include a multi-tenant keymanagement service that maintains and manages one or more cryptographickeys owned by a customer. It is often the case, however, that customerswould like some assurance that the service provider can guaranteeagainst unauthorized access to the customer's data. This can include,for example, complying with lawful order to disclose data stored by theservice provider, which can result in the keys and underlying data beingexposed.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will bedescribed with reference to the drawings, in which:

FIG. 1 illustrates an example environment in which aspects of thevarious embodiments can be implemented, in accordance with anembodiment;

FIGS. 2( a), 2(b), 2(c), and 2(d) illustrate an example multi-tenantcryptographic service to store and manage customer cryptographic keymaterial and/or other security resources;

FIG. 3 illustrates an example process for managing a cryptographic key,in accordance with various embodiments;

FIG. 4 illustrates an example process for restoring key material in amulti-tenant environment, in accordance with an embodiment;

FIG. 5 illustrates example components of a client device; and

FIG. 6 illustrates an example of an environment for implementing aspectsin accordance with various alternate embodiments.

DETAILED DESCRIPTION

Systems and methods in accordance with various embodiments of thepresent disclosure may overcome one or more of the foregoing or otherdeficiencies experienced in conventional approaches to managing securityin an electronic environment. In particular, various embodiments providemechanisms for utilizing a secret management service to manage secrets,such as cryptographic key material and/or other security resources orcredentials, as well as ensuring authorized access to those secrets. Invarious embodiments, the secret management service provides a mechanismby which the service can receive requests to use cryptographic keymaterial, for example, to access customer data encrypted under that keymaterial, export encrypted data and/or key material out of the secretmanagement service without exposing the key material, or destroy keymaterial managed by the secret management service, among others. Invarious embodiments, activities that directly require use of keymaterial under control of the secret management service can be performedthrough application programming interfaces (APIs) that enable one ormore cryptographic operations to check-in, check-out, delete, and/orsuspend key material. Such functionality can, for example,advantageously ensure that key material cannot be extracted in a waythat it can be used without some level of policy enforcement and/oraudit trail provided by the service.

In various embodiments, a customer may want to remove or otherwisesuspend use of key material by the secret management service for someperiod of time, such as to limit the possibility of data exposure undervarious circumstances such as for licensing or other concerns. In suchinstances, a secret such as a restore key can be created and used toencrypt the key material, along with any metadata (e.g., policies) forthe key material. The key material, encrypted with the restore key, thencan be provided to the customer and the key material under control ofthe cryptographic service can be shredded or otherwise deleted. Thesecret management service would instead store a copy of the restore key.If the secret management service is required to disclose data it stores,the provider would at most disclose the restore key, but would not beable to disclose the key material as the provider no longer stores acopy of that material. If the customer subsequently desires to restorethe key material to the secret management, the customer can provide theencrypted key material back to the secret management service, and theservice can decrypt the encrypted key material using the restore keysuch that the key material can be used to access one or more resourcesand/or data secured by the key material.

Various other functions and advantages are described and suggested belowas may be provided in accordance with the various embodiments.

FIG. 1 illustrates an example environment 100 in which aspects of thevarious embodiments can be implemented. In this example a user, such asa customer of a provider of at least a portion of the environment, isable to utilize a client device 102 to communicate across at least onenetwork 104 with a resource provider environment 106. The client devicecan include any appropriate electronic device operable to send andreceive requests, messages, or other such information over anappropriate network and convey information back to a user of the device.Examples of such client devices include personal computers, tabletcomputers, smart phones, notebook computers, and the like. Thenetwork(s) 104 can include any appropriate network, including anintranet, the Internet, a cellular network, a local area network (LAN),or any other such network or combination, and communication over thenetwork can be enabled via wired and/or wireless connections. Theresource provider environment 106 can include any appropriate componentsfor receiving requests and returning information or performing actionsin response to those requests. As an example, the provider environmentmight include Web servers and/or application servers for receiving andprocessing requests, then returning data, Web pages, video, audio, orother such content or information in response to the request.

In various embodiments, the provider environment may include varioustypes of resources that can be utilized by multiple users orapplications for a variety of different purposes. In at least someembodiments, all or a portion of a given resource or set of resourcesmight be allocated to a particular user or allocated for a particulartask, for at least a determined period of time. The sharing of thesemulti-tenant resources from a provider environment is often referred toas resource sharing, Web services, or “cloud computing,” among othersuch terms and depending upon the specific environment and/orimplementation. In this example, the provider environment includes aplurality of resources 114 of one or more types. These types caninclude, for example, application servers operable to processinstructions provided by a user or database servers operable to processdata stored in one or more data stores 116 in response to a userrequest. As known for such purposes, the user can also reserve at leasta portion of the data storage in a given data store. Methods forenabling a user to reserve various resources and resource instances arewell known in the art, such that detailed description of the entireprocess, and explanation of all possible components, will not bediscussed in detail herein.

In at least some embodiments, an application executing on the clientdevice 102 that needs to access or utilize a portion of the resources114, which might be exposed as one or more services to which theapplication has subscribed, can submit a request that is received to aninterface layer 108 of the provider environment 106. The interface layercan include application programming interfaces (APIs) or other exposedinterfaces enabling a user to submit requests, such as Web servicerequests, to the provider environment. The interface layer 108 in thisexample can also include other components as well, such as at least oneWeb server, routing components, load balancers, and the like. When arequest to access a resource is received at the interface layer 108 insome embodiments, information for the request can be directed to aresource manager 110 or other such system, service, or componentconfigured to manage user accounts and information, resourceprovisioning and usage, and other such aspects. A resource manager 110receiving the request can perform tasks such as to authenticate anidentity of the user submitting the request, as well as to determinewhether that user has an existing account with the resource provider,where the account data may be stored in at least one data store 112 inthe provider environment.

An interface layer 108 in at least one embodiment includes a scalableset of customer-facing servers that can provide the various APIs andreturn the appropriate responses based on the API specifications. Theinterface layer also can include at least one API service layer that inone embodiment consists of stateless, replicated servers which processthe externally-facing customer APIs. The interface layer can beresponsible for Web service front end features such as authenticatingcustomers based on credentials, authorizing the customer, throttlingcustomer requests to the API servers, validating user input, andmarshaling or un-marshaling requests and responses. The API layer alsocan be responsible for reading and writing database configuration datato/from the administration data store, in response to the API calls. Inmany embodiments, the Web services layer and/or API service layer willbe the only externally visible component, or the only component that isvisible to, and accessible by, customers of the control service. Theservers of the Web services layer can be stateless and scaledhorizontally as known in the art. API servers, as well as the persistentdata store, can be spread across multiple data centers in a region, forexample, such that the servers are resilient to single data centerfailures.

A host machine 136 in at least one embodiment can include a multi-tenantcryptographic service or other key management service 130 and a trustedplatform module 140. In at least one embodiment, the cryptographicservice can manage customer cryptographic key information or othercustomer key material used for protecting customer data byauthenticating and authorizing customer requests for cryptographicmaterial and/or operations. The trusted platform module, for example,can provide secure key storage and cryptographic operations.

In accordance with an embodiment, the cryptographic service can storeone or more keys 142 (herein also known as key material, cryptographickeys, keys) in the trusted platform module 140 for one or morecustomers. Cryptographic operations which access encrypted customer datawill invoke APIs on the cryptographic service to decrypt that data usingcustomer keys stored in the trusted platform module. For example, theservice can receive requests to use the keys to access encryptedcustomer data, to export key material out of the cryptographic service,to destroy key material managed by the cryptographic service, amongothers. In at least some embodiments, the customer can access or utilizethe cryptographic service by submitting a request that is received bythe interface layer 108. It should be noted that although host machine136 is shown outside the provider environment, in accordance withvarious embodiments the cryptographic service and the trusted platformcan both be included in provider environment 106, while in otherembodiments, one or the other can be included in the providerenvironment.

As mentioned, however, certain customers might want more assurance thatkey material stored in the trusted platform module cannot be extractedin a way that it can be used without some level of policy enforcementand/or audit trail provided by the service. Further, at least somecustomers might find it desirable that for some particular interval oftime key material is not accessible by the cryptographic service. Thatcan be due to a number of considerations, for example, licensingconsiderations wherein a license agreement for use of particularmaterial is temporarily suspended or otherwise requires a customer tonot be able to access particular data, and/or security considerationswherein a customer may not need such cryptographic services for aparticular interval of time and prefers to remove key material from thecryptographic service and/or permanently destroy key material.Unfortunately such destruction may be inadvertent or at some point laterthe customer may realize that they did not want the key materialdestroyed.

In accordance with various embodiments, by instead temporally suspendinguse of the key material such that the resource provider loses all accessto it, the customer can maintain the key material (e.g., in an encryptedform that cannot be used outside the provider environment), and at someother point in time, can provide the key material back to the resourceprovider to reinstate the suspended key material. Accordingly, inaccordance with various embodiments, when a customer desires to removeor otherwise suspend key material under management of the cryptographicservice, such key material can be provided to the customer (i.e., inencrypted form), and the related key material under control of thecryptographic service shredded or otherwise deleted. If the customerlater desires to restore the key material in their possession, thecustomer can provide the key material to the service, wherein theservice can decrypt the key material such that the key material can beused by the customer. Various other applications, processes, and usesare presented below with respect to the various embodiments.

FIGS. 2( a), 2(b), 2(c), and 2(d) illustrate an example multi-tenantcryptographic service that stores and manages customer cryptographic keymaterial and/or other security resources, in accordance with variousembodiments. As described, in such a service, cryptographic operationswhich access encrypted customer data can invoke APIs on thecryptographic service to decrypt customer data using customer keymaterial managed by the cryptographic service. In various embodiments, acustomer can cause the cryptographic service to perform export andimport operations on the key material. Additionally, the user can causethe cryptographic service to destroy customer key material managed bythe cryptographic service. In accordance with an embodiment, destroyingkey material may range from destroying at least one copy of keymaterial, to using one or more operations overriding some or all copiesof the key material in some or all system components such that the keymaterial cannot be retrieved without a level of effort greater thanbefore when the key was destroyed.

As shown in situation 200 in FIG. 2( a), a customer is able to utilize aclient device 202 to communicate across at least one network 204 with amulti-tenant cryptographic service 230. As described, the cryptographicservice manages one or more customer cryptographic keys and/or othersecurity resources, where the cryptographic keys and/or other securityresources cannot be directly exported out of the service (i.e., withoutfirst being encrypted), and can be provided in a resource providerenvironment (such as resource provider environment 106). A customer hasan account including at least one key, “K1 242”, managed by thecryptographic service, the resource provider environment, or anotherentity. K1 and other customer key information and/or securityinformation such as metadata can be stored in at least one database 232managed by the cryptographic service. When the customer makes a requestto the cryptographic service calling a suspend API, K1 242 can beexported to the customer in an encrypted form. For example, as shown insituation 220 in FIG. 2 b), in response to such a request, thecryptographic service creates a restore key, “K1_restore 244” or othersuch key in the account of the customer, where K1_restore 244 is used toencrypt K1 242 along with at least a portion of the metadata associatedwith K1 242 using any known cryptography. The metadata, in variousembodiments, can include policies associated with K1, an identifier ofan account in which K1 is present, the name of K1, history informationregarding usage of K1, audit information, or any other informationassociated with K1 and/or the customer. In some embodiments, at least aportion of the metadata can be associated with K1_restore, whereinitiating a suspend request can cause the metadata to be updated withaudit information, such as a time of initiating the suspend request, anidentifier of a customer initiating the suspend request, locationinformation of the customer initiating the suspend request, etc. Themetadata can be encrypted and a copy of the encrypted metadata can beretained at the key management service.

Having created K1_restore 244 and encrypting K1 under K1_restore, thecryptographic service exports K1 as encrypted under K1_restore 246 tothe client device and at least a portion of the associated metadata.Additionally or alternatively, as described, such metadata can bepreserved in the cryptographic service or some other service and only K1as encrypted under K1_restore 246 is exported. The cryptographic serviceor other service of the resource provider environment then marks K1 242as pending deletion. In response to the customer acknowledging receiptof K1 as encrypted under K1_resore 246, the cryptographic service shredsK1 242, at which point the cryptographic service no longer has anyrecord of K1 242. In the event that the customer fails to receive K1 asencrypted under K1_restore 246, the customer can, in some embodiments,request the export API again, which can return the same value (i.e., K1as encrypted under K1_restore 246) such that a failed connection willnot cause an irrevocable loss of data.

At some later point in time, the customer may desire to access dataencrypted by K1 242. Accordingly, the customer can call an import API,passing K1 as encrypted under K1_restore 246 to the cryptographicservice. For example, in situation 250 in FIG. 2( c), the customer callsthe import API and passes K1 as encrypted under K1_restore 246 to thecryptographic service. In this situation, one or more authenticationencryption algorithms can use K1_restore 244 to decrypt K1 as encryptedunder K1_restore 246 to determine K1 242. Further, the cryptographicservice can use any metadata associated with K1 242, either byconsulting the database 232, or by analyzing the data encoded in the keymaterial attempting to be imported to authorize the decryption of K1 asencrypted under K1_restore 246. For example, the contents of themetadata included in the restore request can be compared to the contentsof the metadata stored at the key management service, where the contentscan indicate customers authorized to perform a restore request,requirements of such a request such as timing requirements, quorumrequirements, among others. Additionally, authorizing the restorerequest can include ensuring that copies of the metadata includesubstantially the same information, where different information betweenthe copies of the metadata can cause the restore operation to abort.

In some embodiments, in response to the import, the cryptographicservice may irrevocably shred K1_restore 244 to ensure that if K1 242 isexported again, there is only one version that can be imported, while inother embodiments, it may be possible to import a key having differentversions of encryption. After the import, K1 242 is available for use,as shown in situation 270 in FIG. 2( d), by the customer such that thecustomer can access data encrypted by K1 242.

FIG. 3 illustrates an example process for managing a cryptographic key,in accordance with an embodiment. It should be understood that, for anyprocess described herein, that there can be additional or fewer stepsperformed in similar or alternative orders, or in parallel, within thescope of the various embodiments unless otherwise stated. A secret, suchas cryptographic key material and/or other security resources orcredentials is stored for a customer in a data store managed by a keymanagement service, such as a cryptographic service. The customer canmake a request 302 to the cryptographic service calling a suspend API tosuspend storage of the cryptographic key by the key management service.In such a case, the customer's key (i.e., a master key) can be encryptedand exported out of the cryptographic service. For example, in responseto the suspend request, the cryptographic service generates 304 a newkey (e.g., a restore key) to be associated with the customer, and therestore key is used to encrypt 306 the master key along with at least aportion of the metadata associated with the master key. Having generatedthe restore key and encrypting the master key with the restore key, thecryptographic service exports 308 the encrypted master key to thecustomer. In some instances, the encrypted master key is retained at thecryptographic service and the restore key is provided to the customer.In accordance with various embodiments, customer cryptographic keys(e.g., such as master keys, restore keys, rotate keys, among others) canbe associated with information usable to determine which of thecryptographic operations is supported, which may be a policy, a usagebit, etc. For example, the restore key can include usage bits indicatingthat it is only usable for import/export of key material. In accordancewith other embodiments, once the export is completed, the usage bitspermitting the export of key material can be cleared such that therestore key is then only usable to import customer key material.

The cryptographic service marks or otherwise flags the master key aspending deletion, and in response to the customer acknowledging receiptof the encrypted master key, the cryptographic service shreds 310 orotherwise destroys at least one copy of the master key stored by thecryptographic service, at which point the cryptographic service isunable to provide a copy of the master key and requests to performoperations using the master key can no longer be satisfied. In the eventthat the customer fails to receive the encrypted master key, thecustomer can again request the export API, which will return the samevalue (e.g., the master key as encrypted under the restore key) suchthat a failed connection will not cause an irrevocable loss of data, forexample, because the master key cannot be recovered. In otherembodiments, if an acknowledgement receipt is not received within apredetermined period of time from exporting the encrypted master key(e.g., 5 minutes), the encrypted master key can automatically beexported to the customer to one or more predetermined locations.

At some later point in time, the customer may desire to access dataencrypted by the master key. Accordingly, the customer can call 312 animport API, or other restore request, to cause the cryptographic serviceto store a copy of the cryptographic key, where the restore requestincludes a copy of the master key as encrypted under the restore key (orthe restore key in the instance the restore key was provided to thecustomer). The copy of the master key encrypted under the restore key isdecrypted 314 using the restore key, and the master key is stored in thecryptographic service on behalf of the customer. The master key is madeavailable 316 to the customer, where the customer can invoke APIs on thecryptographic service to decrypt/encrypt customer data using therestored master key.

In accordance with various embodiments, a security conscious customermay desire to rotate (e.g., change) the key material used to encrypt themaster key. For example, in the instance where a master key is encryptedunder a restore key, the restore key can be encrypted under some otherkey material (e.g., a rotate key), and the rotate key can be rotatedperiodically. In this situation, the customer maintains in theirpossession the master key encrypted under the restore key. The restorekey can be encrypted under a rotate key, and the restore key encryptedunder the rotate key can be provided to the customer. When the customerprovides the restore key encrypted under the rotate key to thecryptographic service, the restore key is decrypted using the rotatekey, encrypted under a second rotate key, and provided to the customer.Accordingly, the customer maintains the master key encrypted under therestore key and the restore key encrypted under the second rotate key,and the cryptographic service maintains the second rotate key. Thisprocess can continue such that the key material used to encrypt themaster key is rotated periodically.

In another embodiment, the restore key can be rotated in a fixedinterval for a predetermined period of time and provided to the customeror to a party designated by the customer. For example, the restore keycan be encrypted under a first rotate key and the restore key encryptedunder the first rotate key can be provided to the customer. After someperiod of time, the restore key can be encrypted under a second rotatekey, and the restore key encrypted under the second rotate key can beprovide to the customer. This process can continue for a designatednumber of rotations, for a certain amount of time, or some otherrotation pattern. In yet another embodiment, the customer can providethe master key encrypted under the restore key in exchange for a masterkey encrypted under a second restore key. It should be noted that thedescribed examples are not to be taking as limiting, and that variousother approaches to rotating key material can be implemented inaccordance with the various embodiments described herein.

In various other embodiments, in addition to, or instead or rotating keymaterial used to encrypt other key material, a customer may elect tohave the restore key expire after a determined period of time, e.g.,such as when the customer fails to replace the master key encryptedunder the restore key with a master key encrypted under a differentrestore key. Additionally or alternatively, in accordance with anembodiment, time sensitive metadata can be included with the master keyencrypted with the restore key such that an encrypted master key cannotbe authenticated due to expired metadata after a defined period of timeif the master key is not updated with a different encryption, such as bybeing encrypted under a different restore key.

FIG. 4 illustrates an example process for restoring key material in amulti-tenant environment, in accordance with an embodiment. As describedin FIG. 3, the customer can call an import API, wherein the customerpasses the encrypted master key to the cryptographic service to berestored. However, in some instances, a customer may require a quorum toperform the restore of the master key, for example, by setting a policy,usage bit, or some other user preference setting that requires therestore of the master key to be authorized by multiple parties. In sucha situation, encrypted key material is provided to two or morecustomers, and the encrypted key material is required to restore themaster key. For example, a master key encrypted under a first restorekey can be provided 402 to a first customer and the first restore keyencrypted under a second restore key can be provided 404 to a secondcustomer, wherein the first customer and the second customer areauthorized users of the key material. Upon receiving receipt of therestore material from the first customer and the second customer, themaster key is shredded 406. It should be noted that key material can bespilt or otherwise shared between two or more parties in a number ofways. For example, in other embodiments, the master key can be encryptedunder the restore key, and the master key encrypted under the restorekey can be spilt using any known secret splitting algorithm, such asShamir's secret sharing algorithm. The spilt master key encrypted underthe restore key can then be provided to two or more authorizedcustomers, as described above.

When a restore operation is called 408, if each of the first restore keyand the first restore key encrypted under the second restore are notprovided to the cryptographic service, the restore operation aborts 410.If each of the first restore key and the first restore key encryptedunder the second restore key is provided to the cryptographic service,then the restore operation can proceed. In accordance with anembodiment, the first restore key and the first restore key encryptedunder the second restore key can be provided to the cryptographicservice in any order. In various other embodiments, the key material isprovided to the cryptographic service in a particular order. Forexample, the first restore key encrypted under the second restore key isprovided to the cryptographic service before the first restore key. Uponreceiving the key material from the first customer and the secondcustomer, the cryptographic service first restores 412 the first restorekey encrypted under the second restore key using the second restore key.The cryptographic service then restores 414 the master key encryptedunder the first restore key using the first restore key.

In accordance with various embodiments, some of the quorum requirementsmay only be active after a particular period of time. For example,within a first period of time (e.g., 24 hours), the encrypted keymaterial can be unilaterally restored, and a second period of timegreater than the first period of time, the encrypted key material canrequire multiple parties to restore the encrypted key material. Invarious other embodiments, restoring key material can cause thecryptographic service to provide a notification to any authorized partyof the key material that encrypted key material has been restored.Further, in some embodiments, causing the notification to be sent cancause decrypting the encrypted key material to be delayed at least apredetermined period of time. For example, in response to receiving arestore request, a notification can be sent to one or more authorizedcustomers of the encrypted key material. At the expiration of apredetermined period of time (e.g., 15 minutes), the encrypted key isdecrypted and made available for use.

Further, in accordance with various embodiments, a customer can enable akey recover function, where a key can be configured such that anyattempt to shred or export key will cause an encrypted copy of the keyto be sent to a predefined location. In some embodiments, the definedlocation might be configured to be unchangeable. In other embodiments,the location might be in an account different from the account in whichthe key was created, as configured by the customer, such that to importthe key a request needs to be made in the context of either the creatingaccount, a different authorized account, or both accounts.

FIG. 5 illustrates a logical arrangement of a set of general componentsof an example computing device 500. In this example, the device includesa processor 502 for executing instructions that can be stored in amemory device or element 504. As would be apparent to one of ordinaryskill in the art, the device can include many types of memory, datastorage, or non-transitory computer-readable storage media, such as afirst data storage for program instructions for execution by theprocessor 502, a separate storage for images or data, a removable memoryfor sharing information with other devices, etc. The device typicallywill include some type of display element 506, such as a touch screen orliquid crystal display (LCD), although devices such as portable mediaplayers might convey information via other means, such as through audiospeakers. As discussed, the device in many embodiments will include atleast one input element 508 able to receive conventional input from auser. This conventional input can include, for example, a push button,touch pad, touch screen, wheel, joystick, keyboard, mouse, keypad, orany other such device or element whereby a user can input a command tothe device. In some embodiments, however, such a device might notinclude any buttons at all, and might be controlled only through acombination of visual and audio commands, such that a user can controlthe device without having to be in contact with the device. In someembodiments, the computing device 500 of FIG. 5 can include one or morecommunication elements 510, such as a Wi-Fi, Bluetooth, RF, wired, orwireless communication system. The device in many embodiments cancommunicate with a network, such as the Internet, and may be able tocommunicate with other such devices. The device 500 also can include atleast one key store 512, which can be implemented through hardwareand/or software. The key store can be a portion of memory, a portion ofa local data store, etc. Access to the key store can be restricted toone or more applications, components, users, etc.

As discussed, different approaches can be implemented in variousenvironments in accordance with the described embodiments. For example,FIG. 6 illustrates an example of an environment 600 for implementingaspects in accordance with various embodiments. As will be appreciated,although a Web-based environment is used for purposes of explanation,different environments may be used, as appropriate, to implement variousembodiments. The system includes an electronic client device 602, whichcan include any appropriate device operable to send and receiverequests, messages or information over an appropriate network 604 andconvey information back to a user of the device. Examples of such clientdevices include personal computers, cell phones, handheld messagingdevices, laptop computers, set-top boxes, personal data assistants,electronic book readers and the like. The network can include anyappropriate network, including an intranet, the Internet, a cellularnetwork, a local area network or any other such network or combinationthereof. Components used for such a system can depend at least in partupon the type of network and/or environment selected. Protocols andcomponents for communicating via such a network are well known and willnot be discussed herein in detail. Communication over the network can beenabled via wired or wireless connections and combinations thereof. Inthis example, the network includes the Internet, as the environmentincludes a Web server 606 for receiving requests and serving content inresponse thereto, although for other networks an alternative deviceserving a similar purpose could be used, as would be apparent to one ofordinary skill in the art.

The illustrative environment includes at least one application server608 and a data store 610. It should be understood that there can beseveral application servers, layers or other elements, processes orcomponents, which may be chained or otherwise configured, which caninteract to perform tasks such as obtaining data from an appropriatedata store. As used herein the term “data store” refers to any device orcombination of devices capable of storing, accessing and retrievingdata, which may include any combination and number of data servers,databases, data storage devices and data storage media, in any standard,distributed or clustered environment. The application server can includeany appropriate hardware and software for integrating with the datastore as needed to execute aspects of one or more applications for theclient device and handling a majority of the data access and businesslogic for an application. The application server provides access controlservices in cooperation with the data store and is able to generatecontent such as text, graphics, audio and/or video to be transferred tothe user, which may be served to the user by the Web server in the formof HTML, XML or another appropriate structured language in this example.The handling of all requests and responses, as well as the delivery ofcontent between the client device 602 and the application server 608,can be handled by the Web server 606. It should be understood that theWeb and application servers are not required and are merely examplecomponents, as structured code discussed herein can be executed on anyappropriate device or host machine as discussed elsewhere herein.

The data store 610 can include several separate data tables, databasesor other data storage mechanisms and media for storing data relating toa particular aspect. For example, the data store illustrated includesmechanisms for storing production data 612 and user information 616,which can be used to serve content for the production side. The datastore also is shown to include a mechanism for storing log or sessiondata 614. It should be understood that there can be many other aspectsthat may need to be stored in the data store, such as page imageinformation and access rights information, which can be stored in any ofthe above listed mechanisms as appropriate or in additional mechanismsin the data store 610. The data store 610 is operable, through logicassociated therewith, to receive instructions from the applicationserver 608 and obtain, update or otherwise process data in responsethereto. In one example, a user might submit a search request for acertain type of item. In this case, the data store might access the userinformation to verify the identity of the user and can access thecatalog detail information to obtain information about items of thattype. The information can then be returned to the user, such as in aresults listing on a Web page that the user is able to view via abrowser on the user device 602. Information for a particular item ofinterest can be viewed in a dedicated page or window of the browser.

Each server typically will include an operating system that providesexecutable program instructions for the general administration andoperation of that server and typically will include computer-readablemedium storing instructions that, when executed by a processor of theserver, allow the server to perform its intended functions. Suitableimplementations for the operating system and general functionality ofthe servers are known or commercially available and are readilyimplemented by persons having ordinary skill in the art, particularly inlight of the disclosure herein.

The environment in one embodiment is a distributed computing environmentutilizing several computer systems and components that areinterconnected via communication links, using one or more computernetworks or direct connections. However, it will be appreciated by thoseof ordinary skill in the art that such a system could operate equallywell in a system having fewer or a greater number of components than areillustrated in FIG. 6. Thus, the depiction of the system 600 in FIG. 6should be taken as being illustrative in nature and not limiting to thescope of the disclosure.

As discussed above, the various embodiments can be implemented in a widevariety of operating environments, which in some cases can include oneor more user computers, computing devices, or processing devices whichcan be used to operate any of a number of applications. User or clientdevices can include any of a number of general purpose personalcomputers, such as desktop or laptop computers running a standardoperating system, as well as cellular, wireless, and handheld devicesrunning mobile software and capable of supporting a number of networkingand messaging protocols. Such a system also can include a number ofworkstations running any of a variety of commercially-availableoperating systems and other known applications for purposes such asdevelopment and database management. These devices also can includeother electronic devices, such as dummy terminals, thin-clients, gamingsystems, and other devices capable of communicating via a network.

Various aspects also can be implemented as part of at least one serviceor Web service, such as may be part of a service-oriented architecture.Services such as Web services can communicate using any appropriate typeof messaging, such as by using messages in extensible markup language(XML) format and exchanged using an appropriate protocol such as SOAP(derived from the “Simple Object Access Protocol”). Processes providedor executed by such services can be written in any appropriate language,such as the Web Services Description Language (WSDL). Using a languagesuch as WSDL allows for functionality such as the automated generationof client-side code in various SOAP frameworks.

Most embodiments utilize at least one network that would be familiar tothose skilled in the art for supporting communications using any of avariety of commercially-available protocols, such as TCP/IP, OSI, FTP,UPnP, NFS, CIFS, and AppleTalk. The network can be, for example, a localarea network, a wide-area network, a virtual private network, theInternet, an intranet, an extranet, a public switched telephone network,an infrared network, a wireless network, and any combination thereof.

In embodiments utilizing a Web server, the Web server can run any of avariety of server or mid-tier applications, including HTTP servers, FTPservers, CGI servers, data servers, Java servers, and businessapplication servers. The server(s) also may be capable of executingprograms or scripts in response requests from user devices, such as byexecuting one or more Web applications that may be implemented as one ormore scripts or programs written in any programming language, such asJava®, C, C# or C++, or any scripting language, such as Perl, Python, orTCL, as well as combinations thereof. The server(s) may also includedatabase servers, including without limitation those commerciallyavailable from Oracle®, Microsoft®, Sybase®, and IBM®.

The environment can include a variety of data stores and other memoryand storage media as discussed above. These can reside in a variety oflocations, such as on a storage medium local to (and/or resident in) oneor more of the computers or remote from any or all of the computersacross the network. In a particular set of embodiments, the informationmay reside in a storage-area network (“SAN”) familiar to those skilledin the art. Similarly, any necessary files for performing the functionsattributed to the computers, servers, or other network devices may bestored locally and/or remotely, as appropriate. Where a system includescomputerized devices, each such device can include hardware elementsthat may be electrically coupled via a bus, the elements including, forexample, at least one central processing unit (CPU), at least one inputdevice (e.g., a mouse, keyboard, controller, touch screen, or keypad),and at least one output device (e.g., a display device, printer, orspeaker). Such a system may also include one or more storage devices,such as disk drives, optical storage devices, and solid-state storagedevices such as random access memory (“RAM”) or read-only memory(“ROM”), as well as removable media devices, memory cards, flash cards,etc.

Such devices also can include a computer-readable storage media reader,a communications device (e.g., a modem, a network card (wireless orwired), an infrared communication device, etc.), and working memory asdescribed above. The computer-readable storage media reader can beconnected with, or configured to receive, a computer-readable storagemedium, representing remote, local, fixed, and/or removable storagedevices as well as storage media for temporarily and/or more permanentlycontaining, storing, transmitting, and retrieving computer-readableinformation. The system and various devices also typically will includea number of software applications, modules, services, or other elementslocated within at least one working memory device, including anoperating system and application programs, such as a client applicationor Web browser. It should be appreciated that alternate embodiments mayhave numerous variations from that described above. For example,customized hardware might also be used and/or particular elements mightbe implemented in hardware, software (including portable software, suchas applets), or both. Further, connection to other computing devicessuch as network input/output devices may be employed.

Storage media and computer readable media for containing code, orportions of code, can include any appropriate media known or used in theart, including storage media and communication media, such as but notlimited to volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information such as computer readable instructions, data structures,program modules, or other data, including RAM, ROM, EEPROM, flash memoryor other memory technology, CD-ROM, digital versatile disk (DVD) orother optical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bythe a system device. Based on the disclosure and teachings providedherein, a person of ordinary skill in the art will appreciate other waysand/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense. It will, however, beevident that various modifications and changes may be made thereuntowithout departing from the broader spirit and scope of the invention asset forth in the claims.

What is claimed is:
 1. A computer implemented method for managing acryptographic key, comprising: storing, in a data store managed by a keymanagement service, a cryptographic key for use in encrypting data for acustomer of a service provider associated with the cryptographic key,the key management service being operated in a service providerenvironment of the service provider; receiving a suspend request tosuspend storage of the cryptographic key by the key management service;generating a restore key to be associated with the customer; encryptingthe cryptographic key with the restore key; encrypting at least aportion of metadata associated with the cryptographic key under therestore key to generate encrypted metadata, the at least a portion ofmetadata being associated with the restore key; updating the at least aportion of metadata with audit information and retaining a copy of theencrypted metadata at the key management service; sending, to thecustomer, the cryptographic key as encrypted under the restore key;destroying any copy of the cryptographic key stored by the keymanagement service; receiving a restore request to cause to the keymanagement service to store a copy of the cryptographic key, the restorerequest including a copy of the cryptographic key as encrypted under therestore key; comparing at least a copy of metadata received with therestore request with the copy of the encrypted metadata at the keymanagement service; authorizing the restore request based at least inpart on the comparing; and decrypting the copy of the cryptographic keyas encrypted under the restore key using the restore key and storing thecopy of the cryptographic key and a copy of the encrypted metadata inthe key management service on behalf of the customer.
 2. The computerimplemented method of claim 1, wherein the audit information indicatesat least one of a customer initiating the suspend request or a time ofinitiating the suspend request.
 3. A computer implemented method,comprising: storing, on behalf of a customer, a local copy of a secretusable to perform operations in a service provider environment;receiving a request at a key management service in a service providerenvironment to suspend storage of the local copy of the secret;generating a restore key; encrypting the local copy of the secret withthe restore key to generate the secret encrypted under the restore key;encrypting at least a portion of metadata associated with the secretunder the restore key to generate encrypted metadata, the at least aportion of metadata being associated with the restore key; updating theat least a portion of metadata with audit information and retaining acopy of the encrypted metadata at the key management service; providingthe customer the secret encrypted under the restore key; retaining therestore key and destroying the local copy of the secret; in response toa request to store a copy of the secret, the restore request including acopy of the secret encrypted under the restore key, comparing a copy ofmetadata received with the restore request with the copy of theencrypted metadata; authorizing the restore request based at least inpart on the comparing; and decrypting the copy of the secret asencrypted under the restore key using the restore key.
 4. The computerimplemented method of claim 3, further comprising: making available thelocal copy of the secret to the customer to perform one or moreoperations using the local copy of the secret.
 5. The computerimplemented method of claim 4, wherein the secret is associated with atleast one of one or more policies associated with the at least a portionof metadata, an identifier of an account in which the secret isassociated with, a name of the secret, history information regarding useof the secret, or audit information associated with the secret.
 6. Thecomputer implemented method of claim 3, wherein the secret and therestore key are each cryptographic keys.
 7. The computer implementedmethod of claim 6, wherein each of the cryptographic keys is associatedwith usage information operable to support one or more cryptographicoperations, the one or more cryptographic operations including at leastone of an export operation or an import operation.
 8. The computerimplemented method of claim 3, further comprising: in response toproviding the customer a copy of the secret encrypted under the restorekey, flagging the local copy of the secret as pending deletion;destroying any copy of the secret when an acknowledgment of receipt ofthe secret encrypted under the restore key is received; or providing thecustomer a copy of the secret encrypted under the restore key when adetermined amount of time passes before the acknowledgment of receipt isreceived.
 9. The computer implemented method of claim 3, furthercomprising rotating the restore key, wherein rotating the restore keyincludes: encrypting the restore key using a second restore key at anexpiration of a determined interval of time and providing the customer acopy of the restore key encrypted under the second restore key; or inresponse to receiving a copy of the secret encrypted under the restorekey, decrypting the secret encrypted under the restore key andencrypting the secret using a second restore key, wherein a copy of thesecret encrypted under the second restore key is provided to thecustomer.
 10. The computer implemented method of claim 3, furthercomprising: encrypting the restore key under a second restore key;providing a copy of the restore key encrypted under a second key to asecond authorized customer, wherein the customer and the secondauthorized customer are authorized customers of the secret; receiving arestore request, the restore request including a copy of the secretencrypted under the restore key and a copy of the restore key encryptedunder the second key; restoring the restore key encrypted under thesecond key using the second key; and restoring the secret encryptedunder the restore key using the restore key.
 11. The computerimplemented method of claim 4, further comprising: causing anotification to be sent to at least one of each authorized customer ofthe secret or at least one authorized customer of the secret in responseto receiving the restore request.
 12. The computer implemented method ofclaim 11, further comprising: in response to causing the notification tobe sent, decrypting the copy of the secret encrypted under the restorekey using the restore key at an expiration of a predetermined period oftime.
 13. The computer implemented method of claim 3, furthercomprising: splitting the local copy of the secret into at least firstinformation and second information using an information splittingalgorithm; and providing the first information to a first customer andthe second information to a second customer, wherein restoring the localcopy of the secret includes receiving at least the first information andthe second information.
 14. A computing system, comprising: at least oneprocessor; and memory including instructions that, when executed by theat least one processor, cause the computing system to: store, on behalfof a customer, a local copy of a secret usable by a key managementservice; receive a request at the key management service to suspendstorage of the local copy of the secret; encrypt the local copy of thesecret with information usable to obtain the local copy of the secret;encrypt at least a portion of metadata associated with the secret underthe information to generate encrypted metadata, the at least a portionof metadata being associated with the information; update the at least aportion of metadata with audit information and retain a copy of theencrypted metadata at the key management service; provide the customerwith one of the encrypted secret or the information usable toreconstruct the local copy of the secret; destroy at least one copy ofthe local copy of the secret; in response to store a copy of the secret,the restore request including a copy of the secret encrypted under theinformation, comparing a copy of metadata received with the restorerequest with the copy of the encrypted metadata; authorizing the restorerequest based at least in part on the comparing; and decrypting the copyof the secret key as encrypted under the secret using the restore key.15. The computing system of claim 14, wherein the instructions, whenexecuted, further cause the computing system to: make available thelocal copy of the secret to the customer to perform one or moreoperations.
 16. The computing system of claim 14, wherein the secretincludes at least one of one or more policies associated with the atleast a portion of metadata, an identifier of an account in which thesecret is associated with, a name of the secret, history informationregarding usage of the secret, or audit information associated with thesecret; and in response to receiving a restore request to store a copyof the secret, the restore request including a copy of the encryptedsecret and the encrypted metadata, decrypt the copy of the encryptedsecret and the encrypted metadata.
 17. The computing system of claim 14,wherein the secret and the information configured to reconstruct thelocal copy of the secret are cryptographic keys generated by a providerenvironment, and wherein the information configured to reconstruct thelocal copy of the secret is configured to perform one of a suspendoperation or a restore operation.
 18. The computing system of claim 14,further comprising: a key management service within a multi-tenantenvironment operable to at least store, receive, encrypt, provide, anddestroy the secret, and a trusted platform module (TPM) configured tostore the secret, wherein the key management service is further operableto obtain exclusive access to the TPM and manage access to the secretstored on the TPM.
 19. A non-transitory computer readable storage mediumstoring one or more sequences of instructions executable by one or moreprocessors to perform a set of operations comprising: storing, on behalfof a customer, a local copy of a secret; receiving a request at a keymanagement service to suspend storage of the local copy of the secret;encrypting the local copy of the secret with a restore key; encryptingat least a portion of metadata associated with the secret under therestore key to generate encrypted metadata, the at least a portion ofmetadata being associated with the restore key; updating the at least aportion of metadata with audit information and retaining a copy of theencrypted metadata at the key management service; providing the customerwith the restore key; destroying at least one copy of the local copy ofthe secret; in response to a request to store a copy of the secret, therestore request including a copy of the secret encrypted under therestore key, comparing a copy of metadata received with the restorerequest with the copy of the encrypted metadata; authorizing the restorerequest based at least in part on the comparing; and decrypting the copyof the secret key as encrypted under the secret using the restore key.20. The non-transitory computer readable storage medium of claim 19,further comprising instructions executed by the one or more processorsto perform the operations of: making available the local copy of thesecret to the customer to perform one or more operations.
 21. Thenon-transitory computer readable storage medium of claim 19, furthercomprising instructions executed by the one or more processors toperform the operations of: in response to providing the customer a copyof the restore key, flagging the local copy of the secret as pendingdeletion; destroying at least one copy of the secret when anacknowledgment of receipt of the restore key is received; or providingthe customer a copy of the restore key when a determined amount of timepasses before the acknowledgment of receipt is received.
 22. Thenon-transitory computer readable storage medium of claim 19, whereinstoring, receiving, encrypting, providing, and destroying are performedby a key management service within a multi-tenant environment.